MS Word users warned of ongoing attacks exploiting unpatched bug

Microsoft warns Word users of ongoing attacks exploiting unpatched bug – Computerworld

Biggest worry, says expert, is that exploits are triggered just by previewing malicious messages in Outlook 2007, 2010 and 2013

Microsoft today warned users of Word 2010 that in-the-wild attacks are exploiting an unpatched vulnerability in the software.

The company also published an automated tool to protect customers until it issues a patch.

An attacker could cause remote code execution if someone was convinced to open a specially-crafted Rich Text Format (RTF) file or a specially-crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer,” said Dustin Childs, group manager and spokesman for Microsoft’s Trustworthy Computing group in a blog Monday.

BOLD in the quote is mine.

Microsoft put out a Security Advisory 2953095 as Corrine noted on her Security Garden Blog including Fix it buttons for enabling and disabling reading email messages in plain text format.

This is one of the things for which both Microsoft in Outlook and Apple in Mail have massively fallen down on the job. This would not be happening if you could easily toggle various view options such as HTML or Plain Text for reading emails, as well as allowing and disallowing images inline.

This is something that I am very thankful that Mozilla Thunderbird got right from the very beginning. Mozilla Thunderbird gives very granular control regarding the various ways to Display email messages such as in PLAIN TEXT, SIMPLE HTML (simple html with javascripting disabled), or ORIGINAL HTML.

You also have control over how images are displayed or not in several ways and differentiating between attached images and remote images.

You can also close to enable do not track in emails. There are Security Add-ons like Adblock PlusEnigmail (OpenPGP), more. As well as lots of specialized Add=ons. One of these that I like is QuickText and a few others. It works on Windows, Mac and Linux.

There is also a pay to play $9.95 I think, but also has a free trial. It was originally for Macs and now there is a Windows version as well. It was created by the original developers of Thunderbird called Postbox. It has some but not all the Add-ons that Thunderbird has.

/rant on

I am not saying everyone should move to Mozilla Thunderbird. What I am saying is that Microsoft Outlook and Apple Mail should give their users these types of granular control so people can choose how they wish emails to be viewed. Both do some things but they stop way short of what is really needed in this day and age with emails.

HTML is like a venetian blind. It hides what is behind it. You can’t see what is behind all that HTML. You can’t decide to see HTML only if you trust the email after viewing what is in that email. This makes it way too easy for phishing emails to look like your bank, PayPal, your credit card company, etc. It also allows companies to track you with web beacons, transparent gif images and other remotely loaded images so they know if and when you view their email.

Something needs to be done about all this. Mozilla Thunderbird makes it so easy for folks to be able to toggle images so they can’t track you, use SIMPLE HTML to keep the ‘form’ of an email message without the more dangerous javascripting. Or allows you to totally view the email in plain text so you can see that that link that appears to be going to your bank actually goes to some strange URL that has nothing to do with your bank or a store you may or may not do business with.

People need these tools. Some may or may not realize it, but they really do.

I have heard so many people say that the email look just like it was from their bank and they fell for it. Or a store they frequent and gave up their login credentials by clicking on the link rather than going to the website because it looked like it was the store’s promotion.

Sure, no one should click on links in email, but if it looks legit, many do. Sure, if you like something in a promotion for a store, it might be better to just go to the store’s website but some stores really don’t have a page on their website that is clickable to get you there, unless you click on the link in an email. Also, the links are often obfuscated by third party trackers and campaign tracking sites, etc. This all makes life very difficult for email users to know what’s good and what’s not.

OK, I will get off my soap box now.

/rant off

 

Advertisements

Microsoft moving Hotmail users to Outlook.com

Microsoft moving Hotmail users to Outlook.com this Summer.

Here’s some pointers from a CNET article about the move:

Microsoft announced earlier this week that it is closing Hotmail and moving the “hundreds of millions” still using it to Outlook.com by this summer.

The move isn’t unexpected, but perhaps more sudden than some anticipated. Hotmail users, once they move (or are moved) will get Outlook.com’s clean, Metro-Style interface for their mail — and ultimately, calendars. (For a walk-through of the user-interface changes Hotmail users will see, check out this Microsoft FAQ.)

One of the most important things folks will want to know is if their favorite browser will work with Outlook.com. Well, looks like it will work much better than Hotmail or MSN email did in other browsers.

Outlook.com is optimized for Internet Explorer 8, 9, and 10; Google Chrome 17 and higher;Firefox 10 and higher; Safari 5.1 on Mac. It also works relatively well on IE 7, Google Chrome 16 and 5; Firefox 9 and 5; Safari 5.1 on Windows and Safari 5 on Windows and Mac. It doesn’t work at all on IE 6 and older; Google Chrome 4 and older; Firefox 4 and older; and Safari 4.X and older.

And you won’t have to move your email address if you don’t want to:

Do I have to get a new email address?

No. You can keep using your existing @hotmail.com, @live.com, or @msn.com address. Or you can get a new @outlook.com address.

Much more in the Microsoft FAQ including a video.

Emails with Malware URLs

It is amazing to me how many malicious emails one can get!

Just today, I got one that purported to be from CNBC, however, the link was not any of the CNBC franchise websites. So I thought, well, maybe I missed one?

I searched Google for the root domain name in email link and it tried to give me real life news channel results which were of course all legitimate websites, not the dangerous one that was in the email.

However, it did give the ability to search on the exact domain again if I really meant it, which of course I did. The only links available — which I was very happy to see — for that domain name were several links to malwareURL.com – (The MalwareURL Team is a group of Internet security experts dedicated to fighting malware, Trojans and a multitude of other web-related threats) that exposed the website in the email as a malware site for a work at home scam:

This web site is a known security risk – Detailed web site security report

Security Category: Work-At-Home scam

The results on the link above about the website stated the following:

Domain matching reallivenewschannel.com were found in our database.

1348 other active domains were found on 707 IP(s) for AS30058 (FDCSERVERS)

Show the report for AS30058 (FDCSERVERS)

Malicious URLs on reallivenewschannel.com
/weeknews/lastnews.php
/weeknews/go.php

Blacklist
Google
Google Diagnostic Page

My WOT
WOT Score Card

hpHosts
hpHosts listing

MalwareDomainList
MDL listing

After the above information, there was information specific to the domain.

Interestingly, the domain appears to be registered in NY, USA.

The name servers are in .RU/Ukranian domain origins.

In addition, this malware link in the email had a prefix that looked like the following, except I changed the numbers in the link:

cf533cb444.reallivenewschannel.com

NOTE: Notice the above is not a live link as we don’t want to visit under any circumstances, unless you are a security researcher preferably using a throwaway Virtual Machine or live CD.

If I had looked at this email in full HTML as it was intended by the malware purveyors, it would have looked somewhat like the following in simple HTML except it would likely have had the look of a CNBC website rather than just the text as it does in simple HTML:

A CNBC Event – Work At Home Mom Makes Almost $10,000/Month, Part-Time

Patricia Feeney of , never thought she’d have a job working at home until she filled out a simple form online, one afternoon. Before she knew it, she had discovered her secret to beating the recession and no longer had worries about being able to provide for her family – and she did all of this by working from home. » Continue reading

CNBC
To unsubscribe to this email click here. If this e-mail was forwarded to you and you’d like to sign up for additional alerts from CNBC click here.

© 2012 CNBC, Inc. All Rights Reserved. 900 Sylvan Avenue, Englewood Cliffs, NJ 07632

See where the Continue reading is? That was the link, totally obfuscated from view to trick users into thinking it was a CNBC link when actually it was linked to the full malware URL I have been discussing in this posting.

Pretty convincing isn’t it? Looks like a legitimate email from CNBC.

If you looked at the email source, you would also have seen that the real Return path is not CNBC, but a user from a .pl domain.

Thankfully, SpamAssassin did give it a 6.5 Spam Status level (required was 5 so it was 1.5 beyond the level required to be considered Spam. X-Spam-Report says the following:

X-Spam-Report: 
*  2.3 FROM_STARTS_WITH_NUMS From: starts with many numbers
*  1.8 URI_HEX URI: URI hostname has long hexadecimal sequence
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  2.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
*  0.1 RDNS_NONE Delivered to trusted network by a host with no      rDNS

Sadly, many emails that look like they originate from legitimate sites come in every day and people are often fooled by them. Many times just because they look at emails in HTML.

These types of things would fall by the wayside if everyone was more wary and understood that when they send out millions of emails like this likely every day or every week, it only takes 1.5% of the people to respond to make it well worth while to the spam, malware, phishingspear phishing, or scam (or any combination together) purveyors.

Also check out the Anti-Phishing Workgroup website for more information.

There are many of us who have been using email clients that allow you to view emails as Plain Text such as; Thunderbird (opensource – free – accepts donations), Postbox ($9.95 – based on Thunderbird and by original Thunderbird developers), Pegasus (free but proprietary – accepts donations), and there are many others that allow plain text. Most Linux based email clients give this ability as well.

Oddly, however, although Apple Mail granularly allows you to choose (after already choosing the email message) to read in plain text on an email by email basis — Apple Mail DOES NOT have an option in Preferences that allows you to choose to view emails as Plain Text by default which would prevent many problems with these dangerous types of emails. This is very sad news for Apple users. Microsoft Outlook DOES NOT give users the ability to view emails in Plain Text either (on an email by email or by option in preferences). I would very much like to know why Microsoft and Apple do not give that option to people. These are the two most ubiquitous email clients used in OS X and Windows.

I have read emails in plain text from the very beginning. Intentionally. Simply because I don’t want to be accidentally fooled by this type of  spammalwarephishingspear phishing, or scam.

Email clients like Thunderbird (opensource – free – accepts donations), Postbox ($9.95 based on Thunderbird and by original Thunderbird developers), Pegasus (free but proprietary – accepts donations) give the ability to view in original HTML, simple (non-executable) HTML or Plain text. They also give you the ability to allow or disallow images inline! Very important if you wish not to be tracked by email senders with beacon ads, web beacons, web bugs. These email clients also give an easy way to view the source of an email so you can do your own investigation of information in the headers or body of the email, and to facilitate sending comprehensive email information about spammers, etc. to sites like PayPal, Google, eBay, your bank, etc.

Sadly even many website based email clients, like GMail, Yahoo Mail, Outlook.com, Hotmail, MSN Email, etc, go only half way in regard to these very necessary capabilities … if that.


			

Tis the season to be scammed….

Tis the season to be scammed …. yep it’s starting already!

Cybercriminals start spamvertising Xmas themed scams and malware campaigns – ZDNet – Zero Day

Dancho Danchev for Zero Day writes;

Security researchers from Symantec are warning about a recently intercepted flood of Xmas themed malicious and fraudulent campaigns. Isn’t it too early for such type of campaigns to be launched, or are the spammers behind these campaigns relying on a different set of marketing tactics? The campaign is a great example of a flawed event-based social engineering attempt. Not only are the senders completely unknown by the recipients, but also, users are exposed to fraudulent E-shops for counterfreit shops, something that weren’t looking for to begin with.

Joy!

Just what people needed, right? More Spam and Malware!

Be wary of your inbox – don’t be duped! – and realize it will only get worse as time gets ever closer to the Holidays.

More from Symantec’s website article: You Have Received a Christmas Card

It is more than a month until Christmas, but spammers are all set to spam the vacation season. We have observed Christmas related spam messages flowing into the Symantec Probe Network.

For greeting card spam, spammers used a legitimate look and feel in the email with headers (Subject & From) and flash animations that included a message to open the “Christmas Card.zip” attachment. After opening the attachment, the malicious code is downloaded on to the user’s system. Symantec detects the attachment as W32/AutoRun.BBC!worm.

Fake product offer Web page (Symantec article on Christmas card scam and malware)  - Click image to view the article at Symantec

Fake product offer Web page (Symantec article on Christmas card scam and malware) – Click image to view the article at Symantec

This is just one of likely a huge number of scams to get malware on your computer. Beware your email bearing cards and unwanted embedded malware (malicious software)!

I am also pretty sure they will not keep it to just email either. We should also be wary of ads on webpages with this type of scam too. So be very careful when surfing around the Internet as well!

Dangerous Internet Explorer Flaw Jeopardizes GMail accounts

‘State-sponsored attackers’ using IE zero-day to hijack GMail accounts – ZDNet:

Microsoft’s advisory speaks of “active attacks” and follows a separate note from Google that references the IE flaw “being actively exploited in the wild for targeted attacks.”

IMPORTANT: This is not the MS12-037 that Microsoft just patched this week on Patch Tuesday.

This is a zero-day vulnerability. Both Microsoft and Google have issued warnings regarding it.

There are Twitter warnings all over the place about “Warning: State-Sponsored attackers may be trying to compromise your account or computer“.

In leiu of a patch for Internet Explorer to fix this vulnerability, Microsoft has devised a “FixIt” Tool intended to block the attack vector:

Microsoft Knowledge Base Article 2719615

Also, according to the ZDNet article:

Microsoft also recommends that Windows users deploy the Enhanced Mitigation Experience Toolkit (EMET), which helps prevent vulnerabilities in software from successfully being exploited.

However, either way, it makes great sense to use Microsoft’s “FixIt” Tool to mitigate this zero-day Internet Explorer vulnerability whether you use Internet Explorer or not.

If you do not wish to use the “FixIt Tool”, you could also use the pre-advisory instructions under the Suggested Actions section to mitigate the problem by disallowing Active Scripting from automatically running on your system (set it to prompt you to allow).

Religious websites riskier than porn for online viruses: study

Religious websites riskier than porn for online viruses: study – Raw Story

Web wanderers are more likely to get a computer virus by visiting a religious website than by peering at porn, according to a study released on Tuesday.

“Drive-by attacks” in which hackers booby-trap legitimate websites with malicious code continue to be a bane, the US-based anti-virus vendor Symantec said in its Internet Security Threat Report.

The same article, or variations on the theme have been have been run by many news/technology venues such as InformationWeek, NYDailyNews, WallStreetJournal Blogs, CSO Online, PCWorld, etc. Many created their own stories from the report, so well worth a read.

Where did all this information come from:
Symantec Internet Security Threat Report – 2011
Symantec Logo - Confidence in a Connected World - Click to view Malicious Code Threat Report 2011

Malware in 2011
By analyzing malicious code we can determine which threats types and attack vectors are being employed. The endpoint is often the last line of defense, but it can often be the first-line of defense against attacks that spread using USB storage devices, insecure network connections and compromised, infected websites. Symantec’s cloud-based technology and reputation systems can also help to identify and block new and emerging attacks that haven’t been seen before, such as new targeted attacks employing previously unknown zero-day exploits. Analysis of malware activity trends both in the cloud and at the endpoint can help to shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers.

Corresponding to their large internet populations, the United States, China and India remained the top sources for overall malicious activity. …

The reference about religious sites?

Moreover, religious and ideological sites were found to have triple the average number of threats per infected site than adult/pornographic sites. We hypothesize that this is because pornographic website owners already make money from the internet and, as a result, have a vested interest in keeping their sites malware-free – it’s not good for repeat business.

And here’s just one more small area of the report:

Exploiting the Web: Attack toolkits, rootkits and social networking threats

Attack toolkits, which allow criminals to create new malware and assemble an entire attack without having to write the software from scratch, account for nearly two-thirds (61%) of all threat activity on malicious websites. As these kits become more widespread, robust and easier to use, this number is expected to climb. New exploits are quickly incorporated into attack kits. Each new toolkit version released during the year is accompanied with increased malicious Web attack activity. As a new version emerges that incorporates new exploit functionality, we see an increased use of it in the wild, making as much use of the new exploits until potential victims have patched their systems. For example, the number of attacks using the Blackhole toolkit, which was very active in 2010, dropped to a few hundred attacks per day in the middle of 2011, but re-emerged with newer versions generating hundreds of thousands of infection attempts per day towards the end of the year.
On average, attack toolkits contain around 10 different exploits, mostly focusing on browser independent plug-in vulnerabilities like Adobe Flash Player, Adobe Reader and Java. Popular kits can be updated every few days and each update may trigger a wave of new attacks.
They are relatively easy to find and sold on the underground black market and web forums. Prices range from $40 to $4,000. …

The whole report is well worth a read! There is only so much you can put into an article.

Much more in the report!